List: mod-security-users
Subject: Re: [mod-security-users] ModSecurity 2.5.10 Released
From: "Mark Lavi" <mlavi () sgi ! com>
Date: 2009-09-29 17:50:09
Message-ID: 074F0C4BE8F9FB4CB1410BF8D1E10B54748101 () CF--AMER002E--3 ! americas ! sgi ! com
Agreed: increasing the scope of the ModSecurity distribution to include
an optional package isn't a good pragmatic choice for the reasons
already cited by Brian.
Furthermore, your example of RPM5 illustrates a reason for those
maintainers to bundle Lua (loss of some functionality), but the same
doesn't hold for ModSecurity.
External (Optional) dependencies are the reason for RPM, .deb, etc.
package management: perhaps this issue reveals some demand for a
non-source distribution of ModSecurity.
Cheers,
Mark Lavi
Senior Web Producer
sgi
46600 Landing Parkway
Fremont, CA 94538
(510) 933-5234 direct
mlavi@sgi.com
www.sgi.com
________________________________
From: yersinia [mailto:yersinia.spiros@gmail.com]
Sent: Saturday, September 26, 2009 2:10 AM
To: Brian Rectanus
Cc: Mike Duncan; mod-security-packagers@lists.sourceforge.net;
mod-security-users@lists.sourceforge.net
Subject: Re: [mod-security-users] ModSecurity 2.5.10 Released
On Fri, Sep 25, 2009 at 9:29 PM, Brian Rectanus <brectanu@gmail.com> wrote:
ModSecurity has always required Lua 5.1.x. Perhaps this version is
finding 5.0 by mistake instead of ignoring it? The --without-lua
configure option should help you. I'll look at adding a version check
to the next release.
Could it be useful for ModSecurity, in order to improve portability, to
put in the tarball the corrected versions of lua, or pcre, ... and decide
at configure time (or with a switch to configure) whether to include the
private version or link to the one on the system? This is what rpm has
done for years. Are you interested in this development? I have some
experience with autofu and portability issues, so perhaps I can help in
trying, but I prefer to ask first.
Thanks
thanks,
-B
On Fri, Sep 25, 2009 at 12:16 PM, Mike Duncan <Mike.Duncan@noaa.gov> wrote:
> A heads up...I think that this version requires lua 5.1.4 (possibly a
> little less version tho). I have RHEL 5.4 with lua 5.0.2 from DAG
> installed currently and 2.5.9 seems fine. However, 2.5.10's make fails...
>
> ===
> /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic
> -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -fno-strict-aliasing -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread
> -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -O2
> -g -Wall -I/usr/include/httpd -I/usr/include/httpd -I.
> -I/usr/include/apr-1 -I/usr/kerberos/include -I/usr/include/libxml2
> -I/usr/include -DWITH_LUA -c -o msc_lua.lo msc_lua.c && touch msc_lua.slo
> msc_lua.c: In function 'lua_compile':
> msc_lua.c:96: warning: implicit declaration of function 'luaL_openlibs'
> msc_lua.c: In function 'resolve_tfns':
> msc_lua.c:159: warning: implicit declaration of function 'lua_objlen'
> msc_lua.c: At top level:
> msc_lua.c:338: error: array type has incomplete element type
> msc_lua.c: In function 'lua_execute':
> msc_lua.c:378: warning: implicit declaration of function 'luaL_register'
> apxs:Error: Command failed with rc=65536
> .
> make: *** [mod_security2.la] Error 1
> ===
>
> On another RHEL 5.4 with lua 5.1.4 (devel as well) installed everything
> compiles fine. You can download lua binary packages from here:
> http://luaforge.net/frs/?group_id=110.
>
> Let me know if I am wrong on the versioning or missing something. I
> guess DAG has not updated this package in some time.
>
> Mike Duncan
> ISSO, Application Security Specialist
> Government Contractor with STG, Inc.
> NOAA :: National Climatic Data Center
>
>
> Brian Rectanus wrote:
>> ModSecurity 2.5.10 has been released and is now available.
>>
>> This release fixes a number of small issues. Notable issues that have
>> been fixed are a cleaner build process, fixes to mlogc to build on
>> Windows and allow more reliable SSL neg. to the console, less verbose
>> logging when using anomaly scoring with CRS v2.x and a feature to
>> allow easier use with Apache mpm-itk.
>>
>> Downloads and docs from modsecurity.org as usual.
>>
>>
>> 18 Sep 2009 - 2.5.10
>> --------------------
>> * Cleanup mlogc so that it builds on Windows.
>> * Added more detailed messages to replace "Unknown error" in filters.
>> * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
>>   auditlog permissions (especially with mpm-itk).
>> * Cleanup SecUploadFileMode implementation.
>> * Cleanup build scripts.
>> * Fixed crash on configuration if SecMarker is used before any rules.
>> * Fixed SecRuleUpdateActionById so that it will work on chain starters.
>> * Cleanup build system for mlogc.
>> * Allow mlogc to periodically flush memory pools.
>> * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
>>   nothing to the error log. Prior versions dropped the "Message:" line from
>>   both logs. To do this now, just use "nolog" or "nolog,noauditlog".
>> * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
>>   issues with some libcurl versions.
>> * Fixed mlogc issue seen on big endian machines where content type
>>   could be listed as zero.
>> * Removed extra newline from audit log message line when logging XML errors.
>>   This was causing problems parsing audit logs.
>> * Fixed @pm/@pmFromFile case insensitivity.
>> * Truncate long parameters in log message for "Match of ... against ...
>>   required" messages.
>> * Correctly resolve chained rule actions in logs.
>> * Cleanup some code for portability.
>> * AIX does not support hidden visibility with xlc compiler.
>> * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
>>   values for non-gcc compilers.
>> * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
>> * Handle a newer geo database more gracefully, avoiding a potential crash for
>>   new countries that ModSecurity is not yet aware.
>> * Allow checking &GEO "@eq 0" for a failed @geoLookup.
>> * Fixed mlogc global mutex locking issue and added more debugging output.
>> * Cleaned up build dependencies and configure options.
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html
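
The version check discussed in the thread, sketched as a configure-style shell guard (an added example, not part of any message above and not ModSecurity's own build code). It reads LUA_VERSION_NUM from each candidate lua.h and emits -DWITH_LUA only for a 5.1 header; the function names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: enable Lua support only when the header found is Lua 5.1.x.
# Lua 5.1's lua.h defines LUA_VERSION_NUM as 501; a 5.0 header has no such
# macro, which is why the 5.1-only calls in msc_lua.c fail to compile against it.

# Print LUA_VERSION_NUM from the given lua.h, or 0 if unreadable or undefined.
lua_version_num() {
    header=$1
    [ -r "$header" ] || { echo 0; return 0; }
    num=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}LUA_VERSION_NUM[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$header" | head -n 1)
    echo "${num:-0}"
}

# Print compiler flags for one include directory if it holds a 5.1 header.
lua_cflags_for() {
    dir=$1
    ver=$(lua_version_num "$dir/lua.h")
    if [ "$ver" -eq 501 ]; then
        echo "-DWITH_LUA -I$dir"
        return 0
    fi
    return 1
}

# Walk candidate directories in order and skip unsuitable headers, so a stray
# 5.0 install is ignored at configure time instead of breaking make later.
# Printing nothing and returning 1 corresponds to building with --without-lua.
find_lua51() {
    for dir in "$@"; do
        if flags=$(lua_cflags_for "$dir"); then
            echo "$flags"
            return 0
        fi
    done
    return 1
}

# Build two constructed sample headers (not real Lua sources) in a temp dir
# and print its path: lua50/ mimics a 5.0.2 header, lua51/ a 5.1 header.
make_samples() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lua50" "$root/lua51"
    printf '%s\n' '#define LUA_VERSION "Lua 5.0.2"' > "$root/lua50/lua.h"
    printf '%s\n' '#define LUA_VERSION "Lua 5.1"' \
                  '#define LUA_VERSION_NUM 501' > "$root/lua51/lua.h"
    echo "$root"
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "5.0 first, 5.1 second: $(find_lua51 "$d/lua50" "$d/lua51")"
    find_lua51 "$d/lua50" || echo "only 5.0 present: Lua support disabled"
    rm -rf "$d"
fi
```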